A bipartisan Congressional committee’s recent report showcases troubling details about police abuse of cell-site simulators, and calls on Congress to pass laws ensuring that this powerful technology is only deployed with a court-issued probable cause warrant.

Cell-site simulators, often called IMSI catchers or Stingrays, masquerade as cell phone towers and trick our phones into connecting to them so police can track down suspect targets, but their use also collects the data and location of innocent bystanders and extracts unnecessary sensitive data in the process.

EFF has long opposed law enforcement’s use of cell-site simulators as incompatible with the protections of the Fourth Amendment because they indiscriminately gather information on countless innocent people who have the misfortune of being in the vicinity of a suspect target. They also disproportionately burden minority communities. Unless and until cellular technology evolves beyond the vulnerability that makes cell-site simulators possible, we’re advocating for strong regulation, transparency, and public oversight of the use of such technology by law enforcement.

Accordingly, EFF applauds Rep. Jason Chaffetz (R-Utah), chairman of the U.S. House Committee on Oversight and Government Reform, along with U.S. Rep. Elijah Cummings (D-Maryland), the ranking member of that Committee, for their recent report on cell-site simulators. The bipartisan committee called on Congress to enact a law requiring a warrant based on probable cause prior to using cell-site simulators in domestic investigations. The report provides new information to the public about these shadowy tools, and recommends important privacy safeguards.

The Many Problems with Cell-Site Simulators

Cell-site simulators “trick” our phones into connecting to them as they would to a cell phone tower in order to log our IMSI numbers (a number which uniquely identifies you on the cellular network), location, and potentially capture the content of our communications. Police most often use cell-site simulators to locate wanted persons. They do so by gathering the IMSI numbers of all phones in the vicinity, until the cell-site simulator finds the IMSI the police are looking for. Then the cell-site simulator targets that IMSI to help police triangulate its location.

Police can also use cell-site simulators for many other purposes. For example, police have used them to identify the IMSI numbers at protests, and thus track the people at the protests who brought their phones. And some cell-site simulators may be configured to capture the content and metadata of our phone calls and text messages. This includes the audio of a cell phone call, the text message sent and received, email message content, and much more.

Cell-site simulators exploit the fact that cellular phones have no way to check whether the cell tower they are connecting to is a “real” cell tower being operated by the phone company. This means that cellular phones can easily be tricked into connecting to a cell site simulator without any indication to the owner. Unfortunately, if police can use fake cell towers to force our phones to leak our private information, there is nothing to stop criminals and foreign nations from learning to do the same (in fact a cell-site simulator can be built right now for about $1,500).

Cell-site simulators are a form of dragnet surveillance that indiscriminately seize information from everyone in the area, innocent and target alike. They may even locate people inside highly protected places like their homes.

EFF has long raised concerns about cell-site simulators. We do so, for example, before courts and the Federal Communications Commission. Last fall, we deployed technologists and lawyers to the Standing Rock Sioux Reservation in North Dakota to investigate possible cell-site simulator surveillance of the Water Protectors.

The House Oversight Committee’s Findings

On December 16, 2016, the House Oversight Committee released its Report on Law Enforcement Use of Cell-Site Simulation Technologies. It calls for Congress to pass legislation that creates a clear, national framework to ensure that cell site simulators do not infringe on citizens’ constitutional rights. But first, it made many important and troubling findings.

The Oversight Report found no uniform standard for the use of cell-site simulators by law enforcement. Also, when the committee first began its investigation in April 2015, “federal law enforcement entities could obtain a court’s authorization to use cell-site simulators by meeting a standard lower than probable cause.” Indeed, a DOJ guidance bulletin, promulgated in 1997 and followed through 2015, took the position that there were no constitutional or statutory limits on police use of cell-site simulators without a warrant—a position with which EFF vehemently disagrees.

Moreover, the Oversight Committee found that state and local agencies frequently sign non-disclosure agreements with cell-site simulator manufacturers and the FBI. These NDAs prohibit the public from learning about cell-site simulator use in domestic investigations and condition possession and use on an agreement to “dismiss a criminal case at the FBI’s request rather than produce information that could compromise the devices.” This means that the government would rather tank its own investigation than reveal the extent of its intrusion into citizens’ privacy for fear of igniting public outcry.

In a criminal prosecution in Wisconsin, EFF helped expose the government’s use of a cell-site simulator—a fact police had kept hidden from the accused and from multiple judges.

The Oversight Report also found that nine federal agencies, mostly within the U.S. Departments of Justice and Homeland Security, spent nearly $100 million between 2010 and 2014 to acquire more than 400 cell-site simulators. Specifically:

The Oversight Report’s other notable findings include:

DHS allows state and local law enforcement to buy cell-site simulators using more than $1.8 million in federal grants, some of which were administered through FEMA.

The majority of states have failed to pass laws requiring law
enforcement to obtain a warrant based on probable cause before using
cell-site simulators.

Many state and local law enforcement agencies get court approval to use
cell-site simulators based on the far less protective “relevance”
standard designed for pen register/trap and trace technology to seize
telephone metadata from service providers.

Cell-site simulators range in cost from $41,500 to $500,000 per unit.

Cell-Site Simulator Policy Changed Only After Public Inquiry

In response to Congressional investigation and just prior to formal Congressional hearings on the issue, DOJ & DHS significantly changed their discretionary internal policies to require a probable cause search warrant before using cell-site simulators – a major about-face from the policy in use since 1997. The new policies also direct that warrant applications explicitly inform courts that police intend to use a cell-site simulator in the search. These are critical limits.

However, one provision of the new guidelines raises concerns. Warrant applications must affirm that law enforcement won’t use data collected on people who aren’t the targets of the investigation “absent further order of the court.” This implies that law enforcement will make investigative use of non-target data if they can get permission from a court to do so. In other words, when agents get a warrant to use a cell-site simulator against a suspect target, and in doing so inevitably capture private phone information from countless innocent bystanders, the new policy still lets agents use that incidentally captured information against those bystanders if they get court permission.

This is tantamount to a general warrant for digital data prohibited by the Fourth Amendment. Such non-target information should actively be separated and purged from storage prior to examination by law enforcement in order to safeguard the constitutional rights of innocent individuals. Law enforcement cannot be permitted to expand its initial search into a dragnet fishing expedition.

The DOJ should strengthen its policy and delete any non-target data retrieved by a cell-site simulator as soon as the target is located without reviewing the non-target data acquired.

While the new voluntary policies of DOJ and DHS are a step in the right direction, they are no substitute for a law passed by Congress. Unlike a federal statute, members of the public cannot enforce them, and the new administration can change them—or get rid of them completely—on a whim.

The Oversight Committee’s Recommendations

After making these findings, and after examining the new DOJ and DHS policies, the Oversight Committee made several helpful recommendations. These include:

DOJ and DHS should not fund or approve cell-site simulator use by state and local law enforcement absent a probable cause warrant requirement.

Non-disclosure agreements with cell-site simulator manufacturers, like the Harris Corporation which makes Stingrays, must be set aside and replaced with agreements that require clarity, transparency, and candor to the court and public.

State and local law enforcement agencies should adopt cell-site simulator policies that are at least as protective as the DHS and DOJ policies.

Federal and state lawmakers should pass legislation that requires probable cause warrants before law enforcement may deploy a cell-site simulator.

Need for Federal Legislation Limiting Cell-Site Simulator Use by Law Enforcement

EFF joins the House Oversight Committee’s recommendation to Congress to pass federal legislation requiring all law enforcement agencies (local, state, and federal) to obtain a warrant based upon probable cause prior to use of CSSs. In addition, EFF encourages Congress to set forth clear guidelines for any exceptions to the warrant requirement so as to make sure that the exceptions of “exigent circumstances,” “the need to protect human life or avert serious injury”, and “hot pursuit of a fleeing felon,” do not swallow the rule requiring warrants.

Of particular concern is law enforcement’s potential use of cell-site simulators against peaceful civil protestors under the guise of such exceptions. Congress should ban the use of cell-site simulators against people who are exercising their First Amendment rights.

Finally, in the interest of maintaining public oversight of law enforcement’s use of such surveillance technology, EFF recommends that Congress enact a transparency policy that requires law enforcement agencies to produce annual reports on the number of times an agency uses cell-site simulators, as well as against whom, when, where, and how.

Long term, we hope that cell service providers will fix their protocols to ensure that cell-site simulators can’t vacuum up data on cell phone usage. But Congress can’t wait until that day to safeguard our privacy.

In a time when civil protest and disobedience is ever increasing, it is critical that our democracy protect the privacy and civil liberties of its citizens against government overreach as technology advances. Please call on Congress to pass a warrant requirement for cell-site simulator use and other intrusive surveillance technologies by emailing your member of Congress today.

Related Updates

Lt. Gen. Paul Nakasone, the new nominee to direct the NSA, faced questions Thursday from the Senate Select Committee on Intelligence about how he would lead the spy agency. One committee member, Senator Ron Wyden (D-OR), asked the nominee if he and his agency could avoid the mistakes of...

It’s Argentina's turn to take a closer look at the practices of their local Internet Service Providers, and how they treat their customers’ personal data when the government comes knocking. Argentina's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of Asociación por los Derechos Civiles and the...

It’s Argentina's turn to take a closer look at the practices of their local Internet Service Providers, and how they treat their customers’ personal data when the government comes knocking. Argentina's ¿Quien Defiende Tus Datos? (Who Defends Your Data?) is a project of Asociación por los Derechos Civiles and the...

There’s a new, proposed backdoor to our data, which would bypass our Fourth Amendment protections to communications privacy. It is built into a dangerous bill called the CLOUD Act, which would allow police at home and abroad to seize cross-border data without following the privacy rules where the data is...

EFF and 23 other civil liberties organizations sent a letter to Congress urging Members and Senators to oppose the CLOUD Act and any efforts to attach it to other legislation. The CLOUD Act (S. 2383 and H.R. 4943) is a dangerous bill that would tear away global privacy...

The Supreme Court of India has commenced final hearings in the long-standing challenge to India's massive biometric identity apparatus, Aadhaar. Following last August’s ruling in the Puttaswamy case rejecting the Attorney General's contention that privacy was not a fundamental right, a five-judge bench is now weighing in on...

We need to talk about national security secrecy. Right now, there are two memos on everyone’s mind, each with its own version of reality. But the memos are just one piece. How the memos came to be—and why they continue to roil the waters in Congress—is more important. On January...

Today Google launched a new version of its Chrome browser with what they call an "ad filter"—which means that it sometimes blocks ads but is not an "ad blocker." EFF welcomes the elimination of the worst ad formats. But Google's approach here is a band-aid response to the crisis of...

The U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) Privacy Office, and Office of Field Operations recently invited privacy stakeholders—including EFF and the ACLU of Northern California—to participate in a briefing and update on how the CBP is implementing its Biometric Entry/Exit Program.
As we’ve written ...